TweLEX: A Tweaked Version of the LEX Stream Cipher

TweLEX: A Tweaked Version of the LEX Stream

Cipher

Mainack Mondal?_{, Avik Chakraborti, Nilanjan Datta}??_, Debdeep Mukhopadhyay? ? ?

Abstract. LEXis a stream cipher proposed by Alex Biryukov. It was se-lected to phase 3 of the eSTREAM competition.LEXis based on the Ad-vanced Encryption Standard (AES) block cipher and uses a methodology calledLeak Extraction, proposed by Biryukov himself. However Dunkelman and Keller show that a key recovery attack exists againstLEX. Their attack requires 236_.3

bytes of keystream produced by the same key and works with a time complexity of 2112

operations. In this work we exploreLEXfurther and have shown that under the assumption of a related key model we can obtain 24 secret state bytes with a time complexity of 296

and a data com-plexity of 254_.3

. Subsequently, we introduce a tweaked version ofLEX, called TweLEX, which is shown to resist all known attacks againstLEX. Though the throughput ofTweLEX is half of LEX, it is still 1.25 times faster thanAES,

the underlying block cipher. This work attempts to revive the principle of

leak extractionas a simple and elegant method to design stream ciphers.

Keywords:Leak Extraction, Differential cryptanalysis, Tweak, Advanced Encryption Standard.

1

Introduction

LEX_{is a stream cipher designed by Alex Biryukov [1] using the round} transforma-tions of the Advanced Encryption Standard (AES_{). The proposal was built on the} concept ofleak extraction[1] and was based on the analysis of the diffusion of the transformations of AES_{to decide the extent of the leakand its frequency.}LEX_{is a} 128 bit key stream cipher, which is developed by extracting 32 bits from the state matrix of AES_{after each round of the cipher. The property of}LEX_{, which makes it} cryptanalytically different fromAES_{is that the attacker never sees the entire 128} bit ciphertext, but sees a portion of it. The design objective ofLEX_{was to design a} fast stream cipher, and indeed was faster thanAES_{in both hardware and software} by 2.5 times.

LEX_{was selected as a candidate for eSTREAM competition and was seriously} considered till the third phase for its elegance in construction, faster operation speed and high security margin. Its simplicity in construction attracted cryptan-alytic efforts ([2] [3]) from several researchers. In response Biryukov submitted a tweaked version ofLEX_{to the second phase of the eSTREAM competition in 2007,} which could counter these attacks. However in 2008, Dunkelman and Keller [4] proposed a key recovery attack ontweaked LEX_{which required 2}36.3 _{bytes of} key-stream produced by the same key and had time complexity of 2112_{. This attack}

removedLEX_{from the final portfolio of eSTREAM. In spite of the above attacks,}

?_{MPI-SWS, Germany ([email protected])}

it may be appreciated thatLEX_{is a stream cipher with high security margin while} at the same time having an extremely simple design. The other selling point of LEX_{is that, the principle ofleak extractionmay be generalized to any block cipher,} thus motivating deeper investigations of its strength.

The motivation of the present work is to modify LEX_{, so as to prevent all} known attacks against the original cipher. In this work, we show further that under a related key model, 24 secret bytes can be recovered using an attack which has a time complexity of 296_{and a data complexity of 2}54.3_{. This work motivates}

the tweaking of LEX _{into a modified cipher called} TweLEX_{, to resist the original} attacks by Dunkelman and Keller[4] and also other differential attacks. The work investigates the interesting idea of leak extractionfor constructing robust stream ciphers from block ciphers. Although TweLEX _{is slower than} LEX_{, it is still 1.25} times faster than the block cipherAES_.

Organization

The paper is organized as follows: In Section 2 we describe the background of this paper. In Section 3 we describe the differential trail identified in theAES_key schedule that we use to analyze LEX_{. Section 4 presents the related key based} analysis to recover secret state bytes of LEX_{. The attack algorithm is analyzed} for its data and time complexity in Section 5. The tweaked description of LEX_is presented in Section 6, and we conclude this work in Section 7.

2

Preliminaries

2.1 Description of AES

The Advanced Encryption Standard (AES_{) is an 128 bit block cipher. It supports} three key sizes, 128, 192 and 256. The construction ofLEX_{is based on the structure} of AES_{. So we describe the structure of} AES_{very briefly.}

AES_{considers a 128 bit plaintext as a byte matrix or state matrix of size 4×4.} Here each byte represents an element ofGF(28_{). The state matrix undergoes 10}

AES_{rounds of transformation for each}AES_{encryption. An}AES_{round consists of 4} operations applied to the state matrix in the following order :

– SubByte−An invertible non-linear transformation performed on each byte.

– ShiftRow (SR)−The bytes of the state matrix are permuted.

– MixColumn (MC)−Each column of the state matrix is multiplied by a con-stant 4×4 matrix.

– AddRoundKey (ARK) − The state matrix is xor-ed with a 128 bit round subkey.

For the ARK operation, 10 rounds anAES_{encryption requires a total of 10 subkeys.} An extra subkey is also needed for‘key whitening’ step before the first round.AES derives these 11 subkeys from the original key using a key schedule algorithm [5].

2.2 Description of LEX

first phase or key initialization phase we choose a random stringIV _{and encrypt} it using AES _{encryption. Let us call this encrypted} IV _{S. In the key generation} phaseSis encrypted using AES0 _{in the output feedback mode. During each round} ofAES0 _{4 bytes from the state matrix areleaked as the output bytes of} LEX_{. Thus} for eachAES0 _{encryption we have 40 keystream bytes from}LEX_{. The bytes leaked}

odd rounds even rounds

b b b b

b

b b b b

b b

b b

b

b b

0,0 0,1 0,2 0,3 1,0 1,1 1,2 1,3 2,0 2,1 2,2 2,3 3,0 3,1 3,2 3,3

Fig. 1.Output bytes in odd and even rounds ofLEX

in different rounds are shown in Figure 1by the colored squares. Therefore each encryption produces 40 bytes of key stream.

After 500 encryptions, anotherIV_{is chosen, and the process is repeated. After} 232_{differentIVs the key is replaced. Hence under this restriction by a single secret}

key we can get at most 500×232_{×40 bytes of key stream = 2}46.3_{bytes of keystream.}

2.3 Notations

In the rest of this paperAES_{will refer to the cipher}AES0_{as described in Section 2.2.} The bytes of any intermediate state matrixB, of anAES_{encryption are denoted} by{Bi,j}

3

i,j=0. Let E and E0 be two AESencryptions. The secret key forE is K

and that forE0_isK∗_{. Let an intermediate state matrix ofE(E}0_{) beB(B}0_{). Then} the difference betweenB andB0 _{be denoted by∆B. The bytes of∆Bare denoted} by{∆Bi,j}

3

i,j=0. Ther

th_{round key derived from a keyK is named asK}r_{and its}

bytes are

Kr

i,j

3

i,j=0.

In our analysis we have used two related keysKandK∗_{. The difference between} bytes of rth _{round key derived from K and K∗ is}

∆Kr

i,j

3

i,j=0. In this work SB(x) denotes the output difference for an input difference of xto the SubByte

operation. On the other hand SubByte(x) denotes the output byte value for an input byte value of xto the SubByte operation. Throughout this work we have used mathematical operations inGF(28_{). So the symbol ’+’ in this work refers to}

the operation xor.

2.4 Properties of AES_{SubBytes operation}

Throughout this work we use the following properties of AES_{SubBytes operation.}

Property 1. Given every non-zero input and output difference pair for the Sub-Bytes operation, there are at most 4 input-output pairs which produce the given differences

Property 2. Given any non zero input(output) difference to the SubByte operation, there are a total of 127 output(input) differences possible.

As a result, given a non zero input difference β to the SubByte operation and a random non zero difference γ, probability of the event that γ can be obtained using SubByte operation on differenceβ= 127

255 ≈

1 2.

The analysis proposed in this work is based on a special differential trail in the key schedule of LEX_{. We describe the differential trail below.}

3

Differential Trail in the Key Schedule of

LEX

Letαbe a 32-bit word. Letβ = SB(RotByte(α)). The operation RotByte and its use inAES_{is explained in [5]. Also αcan be expressed as [a, b, c, d]}T_{. a, b, c, dare} nonzero bytes. When we choose the key difference of the differential as

∆(Kr_{) = (α⊕β, β,0,0)}

we can easily show that the next six 128-bit subkeys starting from Kr _{used in} AES_{-128 have the following difference structure with probability 1:}

(α⊕β, β,0,0)

(α⊕β, α, α, α)

(α,0, α,0) (α, α,0,0) (α,0,0,0)

(α, α, α, α)

Here each row describes the differences between two subkeys for theAES_rounds, starting with the original key difference. In this key schedule we observe that starting from the third subkey to sixth subkey we have no sbox computation involved. This differential trail from third subkey to sixth subkey is depicted in theFigure 2. The box denotes SubBytes operation and ⊕denotes xor.

Fig. 2.Differential trail in the key scheduling ofAES. The box denotes SubBytes operation and⊕denotes xor

In the coming sections while doing related key cryptanalysis on LEX_{we shall} use this key schedule extensively. Here one thing needs to be noticed. If∆(K) is

(α⊕β, β,0,0) then at third round we shall have ∆(K3

) as (α,0, α,0). Hence if we want to have∆(Kr_{) as (α,0, α,0) in an odd round we can just set ∆(K) as}

This is indeed the trick applied to the coming sections. Hence whenever we talk aboutras an odd round, one can assume thatr= 3. In fact ifris any higher odd round the analysis of this paper have to use related-subkey cryptanalysis. This is more complex form of cryptanalysis and less practical compared to related-key based analysis.

So from this point we consider all the results provided in the later sections are based on related - keys and not on related - subkeys.

3.1 Special Differential Properties in the LEX _{State Matrices}

In this analysis we have used two related keys K and K∗_{. The r}th _{round keys} generated fromKandK∗ _{have the difference (α,0, α,0). Hereαis a 32 bit word} which can also be expressed as [a, b, c, d]T. Thus this difference pattern follows the differential trail shown in Section 3. Our cryptanalysis is successful in extracting secret state bytes when a special difference pattern appears just before the Ad-dRoundKey step of the rth _{round. We first describe how to find the difference} pattern using the key streams.

Consider twoAES_{encryptions generated by keysK and K}∗_{. HereK and K}∗ are related keys. Let us consider the event when the state matrices just before therth_{AddRoundKey operation in both encryptions will have zero differences in} 12 specific byte positions. Mathematically, if the corresponding differential state matrix is denoted by ∆b, then {∆b0,0, ∆b0,1, ∆b0,2, ∆b0,3, ∆b1,0, ∆b1,2, ∆b2,0, ∆b2,1, ∆b2,2, ∆b2,3, ∆b3,0, ∆b3,2}= 0, and{∆b1,1, ∆b1,3, ∆b3,1, ∆b3,3}are non zero

values. This pattern is shown in Figure 3 along with the value of the differences after therth _{AddRoundkey operation.}

0 0 0 0

0 0 0

0 a a b b c c

d d 0

0

0 0

0 0 0 0 0

0 0

0

0 0

0 a a b b c c

d d

0 ARK

Kr ∆

Fig. 3.The Special Difference Pattern

Next we compute the minimum number of key streams required to obtain such a difference pattern. Let the AES _{encryptions under the key K be sequenced as}

E1, E2. . . En, and with the keyK∗be denoted asE10, E02. . . En0. The two colliding

AES_{encryption pairs are obtained from the two sequences and may be denoted as}

Ei andEj0.

It can be shown that the optimal value ofnis 248 _{and hence to get a colliding}

pair with high probability we need 248_{encryptions by the key}

K. For each of them we have to consider 248 _{encryptions by the key}

K∗_{. So there are a total of 2}96

pairs.

Now using a 32 bit condition on the key stream we shall reduce the number of pairs to be considered. LetEiandEj0 have a collision. If the state matrix afterrth round ofEi is denoted byB, then ∆B0,0, ∆B2,0, ∆B0,2, ∆B2,2 should bea, c, a, c

respectively. It is expected that out of 296 _{pairs only 2}64 _{pairs will satisfy this}

condition.

Also if the state matrix after (r+ 1)th _{round of E}

i is denoted by C, we can observe the differences∆C0,1, ∆C0,3, ∆C2,1, ∆C2,3for the remaining 264pairs from

the key stream. Using the propagation of difference pattern it can be shown that these values need to satisfy 4 non linear equations.

Using Property 2 of Section 2.4, the probability of satisfying all of these 4 equations is 2−4_{. So after checking this condition, out of 2}64 _{pairs only 2}60 _pairs

need to be considered.

The algorithm presented in the next Section uses this difference pattern. Hence we have to repeat the analysis procedure explained in that Section for each of the 260

pairs to extract secret state bytes.

4

Algorithm to Recover Secret State Bytes

So far we have stated all the necessary properties required for our attack. In this Section using those properties we describe our algorithm which recovers certain state bytes of LEX_{. Our algorithm consists of two steps as presented below.}

1. This step retrieves 8 bytes of the state matrix after round r. Let Ei andEj0 form a colliding encryption pair. Then the special difference shown inFigure 3 holds for this pair. Now we shall concentrate on the propagation of this special difference pattern through round (r+1). This propagation is shown inFigure 4. We shall explain the rest of this step using this Figure.

ARK

ARK Kr

r + 1

K SB SR MC 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 a a a a aa b b b b b a c c c c c c d d d d d d a’ a’ b’ b’ c’ c’ d’ d’ γ γ γ γ 1 1 b 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 4 3 2 ∆

Matrix ∆B Matrix ∆C

∆

We know the actual values of the colored bytes of Figure 4 from the key stream. The symbols written in the byte positions are corresponding differ-ences obtained for the pair Ei and Ej0. Let us first express the differences

a1, a2, b1, b2, c1, c2, d1, d2 in Figure 4 in terms of known differences a, b, c, d .

The difference of therth_{subkeys forE}

i andEj0 is known from the related key differential of Section 3 and shown inFigure 4. Observing the differences before and after xoring with round keyKr_{and using the linearity of ARK operation} we immediately geta1 =a2 =a, b1 =b2 =b, c1 =c2 =c, d1 =d2 =d. In

Figure 4x0_{denotes output difference after SubByte operation applied to input} differencex. Mathematically if xis a difference, x0 _{=SB(x) wherexcan be}

a1, a2, b1, b2, c1, c2, d1 ord2.

Now we observe the differences between the key stream generated byEi and

E0

jafter (r+1)thround. From the related key differentials inLEX(Section 3) we know the subkey difference∆Kr+1_{as shown inFigure 4. Hence using the}

lin-earity of ARK operation we can get the values of the differencesγ1, γ2, γ3, γ4in

Figure 4. Let us denote the state matrix after SR operation of (r+ 1)th_round as B. C is the state matrix after applying MC operation to B. Then using the linearity of MC operation we can express each of ∆C0,1, ∆C2,1 as linear

combination ofb0

2, d01. Also ∆C0,3, ∆C2,3 can be expressed as linear

combina-tion ofb0

1, d02. Since∆C0,1, ∆C2,1, ∆C0,3, ∆C2,3 are nothing but known values γ1, γ2, γ3, γ4respectively hence we get 4 equations in 4 variablesb10, b02, d01, d02,

The attacker deducesb0

1, b02, d01, d02from these equations. By virtue of knowing

the differencesb, d we know b1, b2, d1, d2. Hence using Property 1 of Section

2.4, actual values of bytes corresponding to these four differencesb1, b2, d1, d2

can be retrieved by four table look ups. In this way we recover four bytes of the state matrix after therth _{round. Combined with the bytes we get from} the key stream a total of eight bytes of the state matrix after therth _{round is} known. The bytes of round (r+ 1) whose actual values are known after this step are shown inFigure 5by coloring them.

ARK

K

SB SR

r

Fig. 5.Known bytes after first step of algorithm

2. We recover some more bytes of another state matrix in this step. We continue with the colliding encryption pairEi andEj0 from step 1. Here we concentrate on the propagation of differences in therth_{round.Figure 6shows the} differ-ences of different bytes in therth _{round. The bytes whose actual values are} known to us from the key stream are colored. In this diagram, all ofc1, c2, c3, c4

are differences we can get directly from the key stream. We want to determine

xi,i= 1,2, . . . ,8. They are unknown differences.

Here G is the state matrix after SR operation of round r in the encryption

0 0 0 0 0 0 0 0 0 0 0 0 x x x x 5 6 7 8 0 0 0 0 x x x x 5 6 7 8 a a b b c c d d ARK

Kr −1

SB SR MC c c c c x x x x 1 1 2 2 3 3 4 4 0 0 0 0 a a b b c c d d 0 0 0 0 ARK Kr Matrix Matrix

Matrix ∆ ∆ ∆ G H A ∆ ∆

Fig. 6.Propagation of differences in roundr

with corresponding columns of∆H. In this way we can form 8 linear equations involvingxis,i= 1,2, ...,8.

We solve this system of linear equation and in particular focus on the values ofx1, x2, x3, x4 i. e the values of∆G1,1, ∆G1,3, ∆G3,1, ∆G3,3. Thus we get the

total 2nd _{and 4}th _{column of∆G. Next we guess the actual values of the 2}nd and 4th _{column of the matrixG. This takes a complexity of 2}32_{. Hence using}

the MC operation we get the actual values of 2nd _{and 4}th _{column of H too.} Let the state matrix at the end ofrth_{round ofE}

i is denoted byA. Using the values of x5, x6, x7, x8 combined with the known value of ∆Kr we know the

2nd _{and 4}th _{column of ∆A. The bytes whose actual values are known after} step 2 are shown inFigure 7by coloring them.

ARK Kr MC 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 a a b b c c d d x x x x x x x x 5 6 7 8 5 6 7 8 Matrix A Matrix H Matrix G c c c c x x x 1 2 3 4 1 2 3 x 4

Fig. 7.Known bytes after second step of the algorithm

5

Analysis of the algorithm

5.1 Complexity Analysis

The algorithm depends on finding the special difference pattern mentioned in Section 3.1. We also state in the same section that we need a minimum of 248

encryptions under each of the key K and K∗_{. Hence the total number of key} stream bytes required is≈254.3_{. This is the data complexity of the algorithm.}

Step 1 of the algorithm has a complexity of 24_{on average. The second step has}

key suggestions. Thus the 2 steps of the attack procedure have a total complexity of 236_{. We have to repeat this procedure for 2}60 _{pairs as explained in Section 3.1.}

Hence the time complexity of the algorithm is 296_.

5.2 Efficiency of the Algorithm

In this Section we show that the algorithm retrieves the intermediate state bytes more efficiently than brute force search.

We can see fromFigure 7we have recovered 8 bytes of matrixH and 8 bytes of matrixA. These 8 bytes of matrixAalso include 4 bytes given by the key stream. Hence we have recovered total 12 secret state bytes of matrixH andA.

A careful look at the algorithm reveals that we have retrieved not only secret bytes of matrixAand matrixH for the encryptionEibut also the corresponding secret bytes ofE0

j. So we have retrieved 24 bytes of secret data with a cost of 2

96_.

This is much lesser than an exhaustive search for these 24 bytes which should cost 2192_.

In the following Section we present a tweaked version ofLEX_{which is resistant} against all the attacks mentioned so far in this paper.

6

Proposal of the tweaked version of

LEX

_:

TweLEX

In this Section we propose a modification of LEX_{which provides resistance against} existing attacks on LEX_{. We also argue that this simple modification provides} protection against any kind of differential attack onLEX_.

6.1 Modification of LEX

We have seen that the most important part of the design of LEX_{is wherefrom a} designer should output the bytes. Let after an odd round the state matrix isM

and in the next round, which is essentially an even round the state matrix isN. Then in the basic design the output bytes for those two consecutive rounds would have been M0,0, M0,2, M2,0, M2,2, N0,1, N0,3, N2,1, N2,3. In the tweaked

ver-sion ofLEX_{we shall output (M0,0⊕N0,1),(M0,2⊕N0,3),(M2,0⊕N2,1),(M2,2⊕N2,3).} We call the resulting stream cipher TweLEX_{. It is advisable to change the secret} key of the cipher at least every 232 _{IV set ups, and to change the IV after every} T = 1000 iterations to prevent algebraic attacks.

We output 4 bytes after every twoAES_{round. This indeed halves the} through-put of LEX _{but it provides better security than the actual} LEX_{. We shall now} provide some argument in order to justify the design.

6.2 Security Analysis of TweLEX

Protection Against the Key Recovery attack by Dunkelman: The attack in [4] relies on finding the event that the difference between two state matrices is zero at 8 specific bytes. The probability of this event is 2−64_.

They have used a 32 bit filter on the output key stream of LEX_{. This filter} effectively reduces the complexity of their algorithm by a factor of 232_{. InTweLEX}

the adversary does not directly know the values of state bytes. Hence he could not use the 32 bit filter and the complexity of attack will become 2112_×232 _{= 2}144_.

This is worse than a brute force attack.

Protection Against the state byte recovery attack proposed in this work:

In this work we have used filters on the key stream of LEX_{to find out a differential} pattern. Hence using a argument similar to previous paragraph we can show that our attack is ineffective agaisntTweLEX_.

Protection Against other Differential Attacks: A close look on all the dif-ferential attacks on AES_or LEX _{which relies on differential propagation through} rounds reveals a similarity. All of them use the Property 1 of Section 2.4. They try to locate input-output difference pairs for theAES_{S-box and using a table look up} retrieve corresponding actual input-output byte values.

Let us use this strategy for TweLEX_{. We assume that we have two or more} key streams generated by TweLEX_{. By construction the key stream will be xor of} certain state bytes. Using some differential propagation on the differences of two key streams one can retrieve some output differences forAES_{s-box for certain bytes} of the state matrix. Then it can be shown that, using Property 1 of Section 2.4, it is not possible to retrieve the state bytes with a complexity better than brute force search. Hence this is apparent that any strategy that uses the Property 1 of Section 2.4 will fail against this modified version of LEX_.

7

Conclusion

In this paper we have revisited the stream cipherLEX_{and have presented a related} key cryptanalysis for the cipher. Consequently we proposedTweLEX_{, a modification} of LEX _{which prevents the existing attacks on} LEX_{. Although the throughput of} TweLEX_{is half of} LEX_{it provides a good optimization between speed and security} and attempts to show thatleak extractionas an elegant method to design stream ciphers.

References

1. Alex Biryukov, “A New 128-bit Key Stream Cipher LEX,” Ecrypt Stream Cipher Project Report, 2005/013, 2005, http://ecrypt.eu.org/stream.

2. H. Wu and B. Preneel, “Attacking the IV setup of the stream cipher LEX,” Ecrypt Stream Cipher Project Report, 2005/059, 2005, http://ecrypt.eu.org/stream. 3. H˚akan Englund, Martin Hell and Thomas Johansson, “A Note on Distinguishing

attacks,” in Preproceedings of State of the Art of Stream Ciphers workshop (SASC

2007), 2007, pp. 73–78.

4. Orr Dunkelman and Nathan Keller, “A new attack on the lex stream cipher,” in

ASIACRYPT, 2008, pp. 539–556.